The Problem With Two-Factor Authentication

Organizations, large and small, are moving to the cloud en masse. While the cloud offers clear benefits, there are also challenges when it comes to security. In the first post of this cloud security series, we outlined these challenges and explained the risks behind these challenges not being properly addressed.

In this second part of our series we will illustrate, from the mindset of both the attacker and the victim, how and why account takeovers occur.

Gaining Trust

For a successful account takeover to take place, the attacker must first gain their victim’s trust. Phishing attacks are the most common method for stealing log-in credentials from unsuspecting users.

By sending the victims emails that convincingly ask for their log-in information, for example, this email could be alerting them to a lack of remaining space left for emails, with a call-to-action of “click here to gain more space”, the victims are duped into believing that this malicious email really is from Microsoft, Google, or Facebook.

Example of a Fake ‘Office 365’ Phishing Email.

After proceeding to click on the link and entering their log-in credentials when prompted, the unsuspecting victim may also receive a push notification by SMS to his mobile device. This is mainly used to add an extra element of authenticity to the phishing scam, which the victim, having already trusted the initial source of the attack, will also likely approve and follow as instructed. Of course, as the victim unknowingly provides these sensitive login details to the attacker, the attacker uses them to gain access to the victim’s Office365 account, helping themselves to the private and confidential information stored there.

Example of Fake Office 365 Interface

Current Solutions

There are, of course, solutions to prevent such account takeovers taking place. These mainly involve multi-factor authentication methods and typically take the form of:

Physical Tokens

One Time Passwords via Push Notifications / SMS

These methods are, however, not without their problems.

For one, although physical tokens that need to be used with the device may be the most secure, they are cumbersome to implement, add more work for admins and often require the user to make additional inputs to the system they are logging in to. This, in turn, increases the hassle involved and decreases the user experience.

In addition, physical tokens often do not support mobile devices and thus leave users vulnerable when working from these devices, or blocked from using them altogether. With the ‘Beyond the Corporation’ model being so widely adopted by organizations worldwide, this is a worrying entry point of attack.

As mentioned earlier, the text message with the second factor (e.g. a PIN code) can easily be phished as the attacker would posing as the original user at the same time that the user is logging in to the phishing site; the user would get a true second factor PIN code by text and then proceed to post it to the malicious site. This site would then, in turn, post it to the SaaS provider site (e.g. Office 365).

A demonstration of bypassing the second authentication factor

Required Solutions

Due to the highly problematic nature of the current solutions, it is clear that a more developed and error-proof alternative is required for even the most sophisticated, both Office 365 and out-of-band (e.g. the hacking of 90 email accounts of members of the UK Parliament in June 2017), phishing attacks to be prevented.

This alternative solution should be able to work on any device, both managed and unmanaged, and including mobile native apps in order for it to be used everywhere and by anyone.

Also, in order to prevent account takeover one would need to make sure that any device that is granted access to the SaaS platform is clean and compliant with the security policy of the company to prevent devices with malware or OS exploits on them from logging in.

The solution required must also be hassle-free and provide the user with a seamless experience that does not detract from the usual process to access their account. At the same time, this solution must also have a low OPEX and work for the organization with as much ease as it does for the user.

In our next post in this cloud security series we will take a closer look at what these solutions may look like and how they can be implemented by organizations keen on staying safe from such damaging account takeovers.